Security update for zypper, libzypp and libsolv (moderate)

ID OPENSUSE-SU-2019:1927-1
Type suse
Reporter Suse
Modified 2019-08-18T15:12:00


This update for libzypp and libsolv fixes the following issues:

Security issues fixed:

  • CVE-2018-20532: Fixed NULL pointer dereference at ext/testcase.c (function testcase_read) (bsc#1120629).
  • CVE-2018-20533: Fixed NULL pointer dereference at ext/testcase.c (function testcase_str2dep_complex) in libsolvext.a (bsc#1120630).
  • CVE-2018-20534: Fixed illegal address access at src/pool.h (function pool_whatprovides) in libsolv.a (bsc#1120631).

Fixed bugs and enhancements:

  • make cleandeps jobs on patterns work (bnc#1137977)
  • Fixed an issue where libsolv failed to build against swig 4.0 by updating the version to 0.7.5 (bsc#1135749).
  • Virtualization host upgrade from SLES-15 to SLES-15-SP1 finished with wrong product name shown up (bsc#1131823).
  • Copy pattern categories from the rpm that defines the pattern (fate#323785).
  • Enhance scanning /sys for modaliases (bsc#1130161).
  • Prevent SEGV if the application sets an empty TextLocale (bsc#1127026).
  • Handle libgpgme error when gpg key is not completely read and user hits CTRL + C (bsc#1127220).
  • Added a hint when registration codes have expired (bsc#965786).
  • Adds a better handling of an error when verifying any repository medium (bsc#1065022).
  • Will now only write type field when probing (bsc#1114908).
  • Fixes an issue where zypper has showed the info message 'Installation aborted by user' while the installation was aborted by wicked (bsc#978193).
  • Suppresses reporting /memfd: pseudo files (bsc#1123843).
  • Fixes an issue where zypper was not able to install or uninstall packages when rpm is unavailable (bsc#1122471).
  • Fixes an issue where locks were ignored (bsc#1113296).
  • Simplify complex locks so zypper can display them (bsc#1112911).
  • zypper will now set SYSTEMD_OFFLINE=1 during chrooted commits (bsc#1118758).
  • no-recommends: Nevertheless consider resolver namespaces (hardware, language,..supporting packages) (fate#325513).
  • Removes world-readable bit from /var/log/zypp (bsc#1099019).
  • Does no longer fail service-refresh on a empty repoindex.xml (bsc#1116840).
  • Fixes soname due to libsolv ABI changes (bsc#1115341).
  • Add infrastructure to flag specific packages to trigger a reboot needed hint (fate#326451).

This update for zypper 1.14.27 fixes the following issues:

  • bash-completion: add package completion for addlock (bsc#1047962)
  • bash-completion: fix incorrect detection of command names (bsc#1049826)

  • Offer to change the 'runSearchPackages' config option at the prompt (bsc#1119373, FATE#325599)

  • Prompt: provide a 'yes/no/always/never' prompt.
  • Prompt: support "#NUM" as answer to select the NUMth option...
  • Augeas: enable writing back changed option values (to ~/.zypper.conf)
  • removelocale: fix segfault
  • Move needs-restarting command to subpackage (fixes #254)
  • Allow empty string as argument (bsc#1125415)
  • Provide a way to delete cache for volatile repositories (bsc#1053177)
  • Adapt to boost-1.69 requiring explicit casts tribool->bool (fixes #255)
  • Show support status in info if not unknown (bsc#764147)
  • Fix installing plain rpm files with zypper in (bsc#1124897)
  • Show only required info in the summary in quiet mode (bsc#993025)
  • Stay with legacy behavior and return ZYPPER_EXIT_INF_REBOOT_NEEDED only for patches. We don't extend this return code to packages, although they may also carry the 'reboot-needed' attribute. The preferred way to test whether the system needs to be rebooted is zypper needs-rebooting. (openSUSE/zypper#237)
  • Skip repository on error (bsc#1123967)
  • New commands for locale management: locales addlocale removelocale Inspect and manipulate the systems requested locales, aka. the languages software packages should try support by installing translations, dictionaries and tools, as far as they are available.
  • Don't throw, just warn if options are repeated (bsc#1123865)
  • Fix detection whether stdout is a tty (happened too late)
  • Fix broken --plus-content switch (fixes bsc#1123681)
  • Fix broken --replacefiles switch (fixes bsc#1123137)
  • Extend zypper source-install (fixes bsc#663358)
  • Fix inconsistent results for search (bsc#1119873)
  • Show reboot hint in zypper ps and summary (fixes bsc#1120263)
  • Improve handling of partially locked packages (bsc#1113296)
  • Fix wrong default values in help text (bsc#1121611)
  • Fixed broken argument parsing for --reposd-dir (bsc#1122062)
  • Fix wrong zypp::indeterminate use (bsc#1120463)
  • CLI parser: fix broken initialization enforcing 'select by name' (bsc#1119820)
  • zypper.conf: [commit] autoAgreeWithLicenses {=false} (fixes #220)
  • locks: Fix printing of versioned locks (bsc#1112911)
  • locks: create and write versioned locks correctly (bsc#1112911)
  • patch: --with update may implicitly assume --with-optional (bsc#1102261)
  • no-recommends: Nevertheless consider resolver namespaces (hardware, language,..supporting packages) (FATE#325513)
  • Optionally run "zypper search-packages" after "search" (FATE#325599)
  • zypper.conf: Add [search]runSearchPackages config variable.
  • Don't iterate twice on --no-cd (bsc#1111319)
  • zypper-log: Make it Python 3 compatible
  • man: mention /etc/zypp/needreboot config file (fate#326451, fixes #140)
  • Add needs-restarting shell script and manpage (fate#326451)
  • Add zypper needs-rebooting command (fate#326451)
  • Introduce new zypper command framefork. Migrated commands so far: addlock addrepo addservice clean cleanlocks modifyrepo modifyservice ps refresh refresh-services removelock removerepo removeservice renamerepo repos services
  • MediaChangeReport: fix https URLs causing 2 prompts on error (bsc#1110542)

This update was imported from the SUSE:SLE-15:Update update project.